Learning From The British Airways Data Breach

Learning From The British Airways Data Breach
In September last year, British Airways revealed that thousands of customer records had been compromised -approximately 380,000 cards were affected by the breach.

The airline quickly took measures to advise all those affected to contact credit card companies and banks to inform them of the situation.

All businesses can learn from this event. Read on to discover more.


Not only were customer names, addresses, and email addresses stolen, but credit and debit card details were taken as well, including not just card numbers but the CVC (customer card verification code) which is the 3 digit number on the back of the card added as an extra security feature.

British Airways advised that passport and travel details were not amongst the data that had been taken.


British Airway's boss, Alan Cruz, apologized for the hack which he termed as a "sophisticated breach" of information security systems and promised compensation to all those affected.

He indicated that the data breach was very specific and took place between 21 August at 22:58 BST to 21:45 BST on 5 September and only affected those who made a booking during this timeframe.

The airline even went as far as to post adverts in newspapers following the breach as an apology, and no doubt as a means of trying to mitigate some of the reputational damage incurred.


Although no technical details were revealed about the breach, speculation by cyber-security specialists means that there are no suggestions as to how this might have been possible.

Experts stated that the very specific nature of the timeframe breach provided by British Airways may reveal some clues. In effect, this may mean that customer details were stolen at the point of entry if someone had managed to get a script on the website.

If this was the case, it would mean that literally as a customer typed in their bank or credit card details, this would be instantly extracted by malicious code on the website and the information sent straight to the hacker.


If the hack happened as cyber experts have described above it raises the ever-increasing problem of third-party code supply, which is known as a supply chain attack when things go badly wrong as they did for British Airways. By using a third party to run part of the website such as adverts, payment authorization or other features, companies may be exposing themselves to malicious hackers.

Another reason that experts think the data was lifted live from the website is that CVC codes are not usually stored by companies and are only used at the point of transaction. However, as this theory cannot be proven, it is also likely it could have been a company insider with devious motives who decided to tinker with the code.

In another report, cyber security experts deemed the attack on British Airways as "very worrying" and "astounding" and surmised that the full financial impact on customers may not be immediately obvious as their card details may yet pass through underground criminal networks before they are used further.

Unfortunately, the black market for selling personal data is massive and ubiquitous, therefore it is not always possible to predict the longer-term effects until more time has elapsed and data has been passed on through a number of channels.


MoneySavingExpert also reported on the breach and were concerned that customers who had details hacked were being given differing advice from card providers - with some issuing new cards whilst others merely stated that customers should watch their accounts for any unusual transactions.

The website has a handy guide for anyone affected with details of some of the main bank's advice to customers and useful security tips that may prevent further breaches.


Implementation of a good VPN or virtual private network cannot be emphasized strongly enough for those who deal with public networks and require sophisticated functionality, data security, and information management.

Along with an effective information security management plan, VPN's can effectively prevent hackers and what is know as geo-spoofing of locations and will also keep personal information safe and prevent the type of hack that happened at British Airways. Avast is a secured VPN used by a lot of companies, yet there are plenty of other great choices too.

Of course, a VPN is not enough. Network segmentation is highly advisable, which means if someone hacks into one part of your system they won’t be able to access elsewhere too. You also need encryption, as well as multi factor authentication for anyone who is accessing your network. A password is not enough for people to verify who they are anymore. You can refer to the PCI DSS guidelines for full information on how to secure your data.

To conclude, data breaches seem to be happening all of the time. However, you can learn from the mistakes others have made.